Remember Me using Spring 3.1 not working over HTTP sessions


I'm trying to implement the Remember Me functionality that is part of Spring 3.1 to allow customers to automatically log in when they have previously selected that option in the login form. Here is my actual implementation:

In spring-security-config.xml:

<security:http auto-config="false" entry-point-ref="myEntryPoint" request-matcher="regex" disable-url-rewriting="true">
    ...
    <security:remember-me key="mykey" authentication-success-handler-ref="rememberMeAuthenticationSuccessHandler"/>
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="acceleratorAuthenticationProvider" />
    <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
</security:authentication-manager>

<bean id="rememberMeAuthenticationSuccessHandler" class="uk.co.portaltech.qlaccelerator.storefront.security.RememberMeAuthenticationSuccessHandler" scope="tenant">
    <property name="myCookieStrategy" ref="myCookieStrategy" />
    <property name="customerFacade" ref="customerFacade" />
</bean>

<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="myKey" />
</bean>

My login.jsp contains the Spring remember-me checkbox:

<form:checkbox id="_spring_security_remember_me" class="rememberMe" path="_spring_security_remember_me" />

When I access the site the first time (over HTTP session) it doesn't log me in automatically but as soon as I click on the login button (over HTTPS session) it automatically logs me in.

Is this the way it is supposed to work or am I missing something in the configuration to let Spring log me in when I access the site?


There are 2 answers

1
OhadR

Remember-me lets the app remember the user across sessions, meaning if the server bounces or if the user closed his browser and reopened it. In these cases, the user will not be asked again for his credentials.

In the case that you describe, the user (you) enters his credentials, and only then logs in? What does "automatically" mean?

Helpful links:

remember me result is ignored by spring security, and i am still redirected to the login page

Configuring remember-me in spring security

0
Shaun the Sheep

Check if the remember-me cookie is flagged as "secure" (look in your browser's cookie list). If so, it won't be sent over HTTP connections, which would explain what you see.

The default is to create a secure cookie if the request is over HTTPS. You can change this using the useSecureCookie property of the RememberMeServices implementation you are using.
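
The behaviour this answer describes can be reproduced offline with Python's standard-library cookie jar standing in for the browser. This is an added example, not part of the original answer: the host and token value are constructed, and the cookie name is the Spring Security 3.x default.

```python
import email.message
import http.cookiejar
import urllib.request

COOKIE_NAME = "SPRING_SECURITY_REMEMBER_ME_COOKIE"  # Spring Security 3.x default
HOST = "shop.example.com"                            # constructed host
TOKEN = "constructed-token"                          # constructed placeholder value


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def remember_me_header(secure):
    """Build the Set-Cookie header the login response would carry."""
    flags = "; Secure" if secure else ""
    return f"{COOKIE_NAME}={TOKEN}; Max-Age=1209600; Path=/{flags}"


def cookie_sent(set_cookie, login_url, later_url):
    """Store the cookie issued in response to login_url, then report whether
    a browser-style jar attaches it to a later request for later_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return COOKIE_NAME in (later.get_header("Cookie") or "")


if __name__ == "__main__":
    login = f"https://{HOST}/login"
    cases = [
        (True, f"http://{HOST}/"),    # Secure cookie, plain HTTP page
        (True, f"https://{HOST}/"),   # Secure cookie, HTTPS page
        (False, f"http://{HOST}/"),   # non-Secure cookie, plain HTTP page
    ]
    for secure, url in cases:
        sent = cookie_sent(remember_me_header(secure), login, url)
        print(f"Secure={secure!s:5} {url:28} cookie sent: {sent}")
```

Only the first case withholds the cookie, which matches the symptom in the question. In the third case the remember-me token travels in cleartext on every HTTP request, so anyone on the network path can capture and replay it; serving the whole site over HTTPS avoids that trade-off.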